Re: [Ace] draft-ietf-ace-key-groupcomm-oscore

Jim Schaad <> Tue, 28 May 2019 23:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C541D1200B7; Tue, 28 May 2019 16:06:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NHwA69CgCWSL; Tue, 28 May 2019 16:06:34 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0C73B1200A4; Tue, 28 May 2019 16:06:32 -0700 (PDT)
Received: from Jude ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 28 May 2019 16:06:05 -0700
From: Jim Schaad <>
To: 'Francesca Palombini' <>, <>
CC: <>
References: <>
In-Reply-To: <>
Date: Tue, 28 May 2019 16:06:01 -0700
Message-ID: <018501d515a9$ed26d8a0$c77489e0$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0186_01D5156F.40CCE2A0"
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQHO6Ux8YdSoHFUgmucX9gLJKVkqCaaNe4JQ
X-Originating-IP: []
Archived-At: <>
Subject: Re: [Ace] draft-ietf-ace-key-groupcomm-oscore
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 28 May 2019 23:06:37 -0000



From: Francesca Palombini <> 
Sent: Tuesday, May 28, 2019 2:29 AM
To: Jim Schaad <>om>;
Subject: Re: draft-ietf-ace-key-groupcomm-oscore 


Hi Jim,

Thanks again for your in depth review. We have identified 7 clear APs from some of your review comments, and we hope that we answer the other (inline). Please let us know if that is ok, and we will update the document as soon as possible.



Francesca and Marco


I was wandering through the document with a view to implementing and have

the following questions:


1.  Abstract: From the first paragraph I am not sure if the group

communications or the communications to the KDC are secured with OSCORE.


[*] Ok, we propose to change “where communications are based” to “where the group communication is based”. The communication to the KDC is up to the profile of ACE used between the joining node and the KDC. (AP1)

[JLS] Should be ok.


2.  Section 3.1 - "requester" seems to be an odd name for "sender" or



[*] This particular document does not consider the concept of publisher. Requester was chosen to identify a client in a group communication setting, i.e. stressing that it sends (group) requests and receives (unicast) responses. Sender would not be correct, as both clients and servers are senders at some point during the message exchange.

[JLS] I will probably complain again at a later date.  My problem is that requester is not the opposite of listener.  A different set might be “requester”, “responder”, “monitor”

3. Section 3.1 - I am trying to figure out why a Gid would be a reasonable

value for the scope.  This means that the AS is going to be the one to

assign the Gid value in many cases as it needs to check the scope value

there.  Is that going to be a common case?  I.e. Are Gids going to be

assigned by administrators?


[*] The Gid of the Authorization Request would be a reasonable scope because the join resource is associated to it (at the GM). The GM receiving a Join Request must be able to retrieve the correct Gid following the access to the join resource. No, the AS does not assign the Gid value (if that is used as scope in the Authorization Request). The AS only needs to check that the client is authorized to get an access token for that scope, regardless that it is a join resource. The Gid is assigned by the resource owner of the join resource at the GM, that is an administrator.

[JLS] Ok – so the answer to my question is yes.  I wanted to be sure it was not a registration process on the KDC (I think).

4. Section 3.1 - Is the form in Appendix C of the Gid in some respect

mandatory?  If it is not, then how does a receiver of a message distinguish

between two different groups that are using the same multicast address?  Is

that going to be a non-supported case?  The most common case of this would

be having two different groups on the default CoAP multicast address talking

to RDs with different permissions at the RD to see things.


[*] As of now, that is just an example, we might reconsider and make this at least mandatory to implement, so it would be good with more feedback on this. The requirements anyway are that in a GM all the Gids are unique, and that a Gid is changed after a group rekeying. The format in appendix C guarantees both. If your second question refers to one node in 2 groups (managed by 2 different GMs), where these 2 Gids collide, then that is up to the application to decide how to deal with it (discard, try both contexts…). We briefly discuss sec cons about it in section 8.5 of core-oscore-groupcomm. However, that is independent from the format of the Gid, as long as the requirements are met.

[JLS] My question dealt with having two different KDCs each of which has a Gid and that Gid collides for some reason.  The groups of the two KDCs are distinct and the resources accessible by those different KDCs are distinct and are quite possibly two different applications.


5. Section 4.1 - I can understand things relative to the key_info blob that

is being returned.  I am not sure that I think that this is being defined

correctly however.  It makes more sense to me to have the following:

key_info = [ sign_alg: COSE_Algorithm, ?sign_parameters : map,

?key_parameters: map ] where the two maps are filled in from the required

fixed parameters from the two COSE registries.  This would end up with

something like the following as a potential value   [ sign_alg: ECDSA,

key_parameters: {'kty':'EC2', 'crv': 'P256'}]


[*] Ok, we can implement that. To make sure we understand your proposal, ‘key_parameters’ are taken from COSE Key Common Parameters and COSE Key Type Parameters registries? 

What about ‘sign_parameters’? Can we be sure that those two field would cover all parameters of existing and future algorithms? If a new algorithm defines its own registry, we would need to add that, and say values from that registry can also be used in this map. (AP2)

[JLS] Sounds good.

6. Section 4.1.1 - why is the key info parameter format application

specific?  I would have assumed that it was the same as in the previous



[*] Right, proposal to change “Its format” to “Its exact content”. (AP3)

[JLS] Sounds good

7.  Section 4.2 - for 'client_cred', I am unsure what the client is supposed

to do if the joining node does not know the countersignature algorithm.  Can

the include public key not be in a consistent format?  What does consistent

format even mean?


[*] Consistent format refers to the key type based on the countersignature algorithm used. If the joining node does not know the countersignature algorithm, it might just omit this parameter, or send a public key as a guess. If the guess is incorrect, the GM will reply as specified in 4.3 (see point 8). 

[JLS] I don’t know what point 8 is – There are 6 points for the outer list and the inner point 8 defines a field and does not define a response.

8. Section 4.3 - I don't understand why the GM is accepting the join request

if the client_cred passed in was not in the correct format.  Is this a typo?


[*] The reason for responding with a non-error response code is to be able to use the payload to provide the key info in a CBOR map. With a 4.XX response, that would not be possible since the payload is supposed to be a diagnostic human readable text string. We are willing to change that if the WG/CoAP experts can confirm that would be ok.

[JLS] So I return a 2.01 in both cases, and based on the content the client needs to determine what is happening?   We are breaking the 4.xx response already in the OAuth framework by returning an error response.  I would think that it would make more sense to continue that trend.

9.  Section 6 - I don't know that the third bullet is in the list of cases

where the client_cred parameter is not required.


[*] Well spotted, and it needs to be clarified. Actually, the third bullet should say that if the PoP key in the access token has the format expected in the group and the client is aware of that, then the client can skip providing its own public key later on in ‘client_cred’. (AP4)

[JLS] Will need to read after update.

10.  Section 6 - What is the POP method for the fourth bullet method?


[*] We address this as well in point 9 of your review comments, to which we say: “Until now, we kept that out of the scope of this and dependent documents (see section 8 of ace-key-groupcomm-oscore), but we are looking to include it.

One possibility we are considering is to sign the key distribution request together with a nonce that was sent from the KDC (for the sake of freshness),  using the private key paired to the public key sent in ‘client_cred’.“

You seemed ok with this, so we will implement it here. (AP5)

[JLS] This is a problem that is going to need to be solved at some point for the OAuth framework as well at some point in the future.  But may be more of a problem here.  You might want to talk to Ludwig about the solution space.

11. Section 6 - What happens if any of first three bullets is true, but the

cached key does not match the required key parameters for the signing

algorithm.  In some of these cases there is no check that any signature

algorithm parameters that might exist are going to be checked and enforced.


[*] The first bullet point is actually about not providing a key, so no check needs to be done.

The second bullet point is about a previously provided key, so the check would be done as described.

Third bullet: yes we need to clarify. (AP6)  

[JLS] Sounds good.

12.  Section 7 - This text implies to me that all users of a group key need

to be able to act as servers and have a fixed port number which was supplied

some how to the GM so that it can be notified.   This could be done by

keeping up the DTLS session, but that is still a little bit tricky and would

not work for OSCORE based messages.  This text might want to point to the

section in the ietf-ace-key-groupcomm that deals with this and require that

the query or subscribe methods be supported.  Although both of those suffer

from the lack of hard break on the part of publishers.


[*] Yes, that is correct, group members would need to act as servers. The port number could be either default or part of the Join Request (in a new field “rekeying uri”?), with the group member assuming that the rekeying is done with this (unicast) default algorithm. The GM could then either confirm, or communicate to the joining node a different group rekeying scheme (in “group_policies”) and port and resource (in the new field “rekeying uri”) in the Join Response. However, that is quite heavy on the group member, which is a reason to use RD instead to discover in advance the rekeying scheme and rekeying uri as linked target attributes of the join resource. Would that work? Also why do you say that it would not work for OSCORE based messages? We could easily specify that when using the OSCORE profile between group member and GM, the nodes need to have both roles, so configure their keying material accordingly (for example: the group member’s recipient context need to contain a replay window). (AP7)

[JLS] I think that this may need to have a design session to figure out all of the ramifications and problems.